Received: by 10.213.65.68 with SMTP id h4csp198116imn;
        Tue, 3 Apr 2018 18:44:27 -0700 (PDT)
X-Google-Smtp-Source: AIpwx484ZDLFGRV5JT/pkbzZlbTwWmpQvpKeUAxhl7cMMCMeBagzHPnh4JhuuxuKD9Xo+C51N8GA
X-Received: by 2002:a17:902:6103:: with SMTP id t3-v6mr16596650plj.76.1522806267879;
        Tue, 03 Apr 2018 18:44:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522806267; cv=none;
        d=google.com; s=arc-20160816;
        b=yIhYRq06LqvBRidWTB7aoCJONkxz9t3AsemrtGxfa3V/zZsXAxdkEgaynqe4e9O6sr
         dWhS/S8rUQ0mEDTbtfxebhKh6PfuMg1kooI1OV3LqoEy7lZlABE/7laIlEorKqiZDWjV
         6fPNkSmcjiWEJXNv1GKfSMB1+A/Y+Zt1HcSTJZjCkYRPAy/TKC7SpNJ8szNLtHs9oiC2
         odG0oOeC96Lv0wkMucz/ghiCSDozmwuoCR+sNaZhe2Z33GaFBNCYALvt9obg6PBHOVo7
         tkf+Z6Vp5vRX/XoLsoMpe5RbwRkA3/HLvRBF6B1u0y6iMF0Ow9h6uKnl0Q6ewesYr7Fw
         azEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=XBnKRyOCnT1XrcrbyY+DkwftZB7oyng4fN0ZLQjcwh4=;
        b=JEQY73srfnwO17OSYkI2oFuHLU16qLk73KbJAvKpRZODp1/sQFnQvwyU8ndGYbOFS6
         g3qsvG3PuoNlKoNLlHC4PsR4cUEM0vVkK+YyeuXuXG77CMj0iCNJbbOYKqo8QEUkxLDL
         GpRNvCGE/BesHhhCpnpNrBWWjPjDO8exVqQUrfYHwNDsloGvOCBTvIr+rzBfI/uadRUN
         WYtklxw3w/PQnn5ARdz1LAj/3h4cFCA6Y8cyFyWIc26lrDVyRPWsFCbG37RI74cnr3Q3
         L2svlvYMXxztRhXXdIhZVj2pXpWM7cF+XSbVdjNDfgr4IxN0hj7Zf6M1xkLAMNRKK1oh
         rmKw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=caem7X/S;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=OXBc40hs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 31-v6si4264673plj.703.2018.04.03.18.44.13;
        Tue, 03 Apr 2018 18:44:27 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=caem7X/S;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=OXBc40hs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754861AbeDDBnJ (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 21:43:09 -0400
Received: from mail-io0-f171.google.com ([209.85.223.171]:41804 "EHLO
        mail-io0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753733AbeDDBnG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 21:43:06 -0400
Received: by mail-io0-f171.google.com with SMTP id m83so24318671ioi.8;
        Tue, 03 Apr 2018 18:43:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=XBnKRyOCnT1XrcrbyY+DkwftZB7oyng4fN0ZLQjcwh4=;
        b=caem7X/SJiPeol36MPsnj7iqQHL7QmN0OpiMsFMFJ9u9QcQ7wC21RtsDbkpBK86mhv
         oUJtJg0cm9c+8pxAwLkblHLIMdS3LWzeYE4/WpmjhdNfPIqzdz0trXvO8zmKHePLBIo+
         rKnfDJaBsmtEQhYaYeN8U9BtxAPOTLeUxXzgSh/UlK3PaRczZL9luhywyesAP6LB3ihd
         hdLoWCD8qbEpDzggIifEWNRc6OMZiqKDpPfVevL0YCx2NTaYv65OQGAdLXFbucvLHTFE
         RlYGBr1hZfEievtD/50CzRwe69Rq/0vmqt4bfFSWLd9akzhKqdeKZfMJNv3CI7q23xLP
         hSHg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=XBnKRyOCnT1XrcrbyY+DkwftZB7oyng4fN0ZLQjcwh4=;
        b=OXBc40hsREb9FAxihEEMlTC0RFiT+zFZ9m/d5EBh7n+n32q0y/Prp1OgqbyOUimITP
         kt3m9hrajgfmB6WSgutD8L/CMXpc+p+AclXgHl1yioRHriCwgNz9+4JSH59sri1+RMy2
         LZeIsN030IoyDoA3+flxcacxDkQUXLHzNneco=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=XBnKRyOCnT1XrcrbyY+DkwftZB7oyng4fN0ZLQjcwh4=;
        b=dDY2d0WPNg9hvnWHKIOLzmNIa1jm76t1BKPT4OPIBeLHxV1Mh7o/wktcB10el4XVlY
         sq8oxO2E4bLgHBV0Ng/i+PePa6r3PGshtL5Dhrm6adhaX9WghUjs6TMYugAtm1ljNnJM
         uGwqVv+epAU7CNU3rWZbZm50lEOvwOMxytXWWkTxNK4quYe2kmKyFfhmaL8WL8Mzwnva
         qjnAjSN/T61AKaVtjfF5LndViLDivdTzoPYhOWOjLNo6VeIVrvUa3AZNP9qowOaAcwZP
         /3UFVIrehBD043XLLd8E5pFKeIl3RJCaBLLs7uB90Ivz06NvZoQUBlvKh0v8FAKT3WUE
         3hPA==
X-Gm-Message-State: ALQs6tCQYhDlFW7VlqLQoWJTVuxYgGpkN80ew37IlielLRJ5/PBkLBnT
        OItJ0JjFBcK1DIhGgotnKt7Dnxjm+HC5LTPNCqvwLQ==
X-Received: by 10.107.164.13 with SMTP id n13mr15277718ioe.238.1522806184985;
 Tue, 03 Apr 2018 18:43:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.95.15 with HTTP; Tue, 3 Apr 2018 18:43:04 -0700 (PDT)
In-Reply-To: <CACdnJuuek-sS3esmomNOkjBMV_6VPL2NFCzRd+UGxbZrMe=4nw@mail.gmail.com>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
 <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com>
 <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
 <CA+55aFyWNok1K-Jo3TQAXGXHvFOTvuOb-Hw977B9RGjBa7prrg@mail.gmail.com>
 <CACdnJutZFKX+izBxRYbyxefT5KrKhVV0XsymU=vBhywd+TOE3A@mail.gmail.com>
 <CA+55aFwVUmjZ+Swe9xUdDOEE+EOoaU3dh7BcrH74BOLCi8y_Kw@mail.gmail.com>
 <CACdnJuvqQQ+hidokY5GA7g-yrAs5-358it0cs+m_d4RFDMuB_w@mail.gmail.com>
 <CA+55aFwJBGCr-anrdV9N63fUH4V_QJqgr0_fJyHhH=fuqGAoog@mail.gmail.com>
 <CACdnJuvFqXGLsAv1Km3MmdssHBfuH5-C_vG3A4eq4Yuj0HhFBA@mail.gmail.com>
 <CA+55aFzYbpRAdma0PvqE+9ygySuKzNKByqOzzMufBoovXVnfPw@mail.gmail.com>
 <CACdnJuv-VpdhjEe1cMysdHb6Oy67jQqg-_TVHbUrOfH9GmCVvg@mail.gmail.com>
 <CA+55aFwvuoSHhKnn82VnDndZ6oXMJgwHF604gZ=h3ehHyC600A@mail.gmail.com>
 <CA+55aFzJ2sQR13T+20MKEJ5co-f3Ev8rRxQkRCWVaeDSUU3yhQ@mail.gmail.com>
 <CACdnJuti5Riqoi1sesqPALYHq9LT87o4MFj-0Y5BZqqzJ5579g@mail.gmail.com>
 <CA+55aFwhi=gz3HLoGST9--n1_kLJNP6jsf8GSesSFxTDCdPdtQ@mail.gmail.com> <CACdnJuuek-sS3esmomNOkjBMV_6VPL2NFCzRd+UGxbZrMe=4nw@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue, 3 Apr 2018 18:43:04 -0700
X-Google-Sender-Auth: jQebqk9CTwdcP7Wc4BLmF_wWETM
Message-ID: <CA+55aFxgrh5eeG9MRSEsJtyL5yTe0TehZ=BS2josGJaLxoMMBQ@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Matthew Garrett <mjg59@google.com>
Cc:     Andrew Lutomirski <luto@kernel.org>,
        David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Justin Forbes <jforbes@redhat.com>,
        linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 6:13 PM, Matthew Garrett <mjg59@google.com> wrote:
>
> There are four cases:

No.

Matthew., stop with the agenda already.

This shit is what I'm talking about:

> Verified Boot off, lockdown on: Perception of security improvement that's
> trivially circumvented (and so bad)

You're doing some serious value judgement that is simply bogus.

If lockdown actually helps avoid CPL0 execution attacks, then it helps
even if secure more is off.

Sure, you can do things like try to install kernels and reboot, but
honestly, that's not "trivially circumvented". It can be quite hard to
hide even if you don't have secure boot. Things like disk encryption
(common for a lot of people) for example means that you simply won't
be booting that machine without the user noticing.

Or think of virtual machines - which people often use on purpose for
security things. Again, they very much are _not_ going to have secure
boot, but it's not necessarily even possible to "replace the kernel
and reboot" at all, because the kernel came from outside the virtual
machine entirely, and rebooting might just kill the VM rather than
restart anything.

So I really think you're pushing this whole "not secure boot" means
"trivial circumvention" much much too hard.

To the point of it being an outright lie.

I think the kind of people who run stuff in virtual machines could
easily want to also enable lockdown measures, simply to reduce the
attack window within that VM. Wouldn't you agree? Those are often
security-conscious people.

This is what I mean by having an agenda.  We all know you are a big
proponent of secure boot. But it seems to cloud your arguments, by
turning your assumptions and your agenda into an "argument" that is
simply not even TRUE.

See what I'm unhappy about?

> Verified Boot on, lockdown off: Perception of security improvement that's
> trivially circumvented (and so bad), status quo in mainline kernels

I think this is entirely false too. Again, the "trivial circumvention"
shows a bias and agenda that isn't really all that true.

> Of these four options, only two make sense.

No.

You say that, because you have that bias and that agenda.

But that simply doesn't make it true.

Now, what actually seems to be a real and valid argument is *this* part:

> This makes it easy for a user to switch
> between the two states that make sense by running a single command and then
> following some prompts on the next reboot. The alternative would be to
> provide a signed kernel that always enabled lockdown and an unsigned kernel
> that didn't, which would (a) increase load on distributions and (b) force
> users to both run mokutil --disable-validation and also install a different
> kernel.

THAT is an actual argument. Admittedly I think it's a horrible hack,
but it's a hack that can be explained without outright lying. And it
may be a hack that is "the best we can reasonably do"

See what I'm saying?

One argument is based on your value judgments that not everybody else
believes in.

The other argument is based purely on cold hard particular facts.

Guess which argument is better for people who aren't Matthew Garrett?

That said, wouldn't it be equally good to just make the whole thing be
a protected EFI variable instead? Once you have physical access to the
EFI shell (to turn off secure boot) you have access to that too.

Which would allow the "switch off/on" case even if there are other
reasons why changing secure boot isn't a great option (possibly
because secure boot isn't an option to begin with due to being so
invonvenient).

              Linus